Wednesday, 19 April 2017

OWASP Top 10 (2017 Release Candidate) - Thoughts

I understand the importance of highlighting the Underprotected APIs (A10), and I do agree with the importance of it. However, to my eyes this is another stage during a security assessment, while the penetration tester is engaging into testing for different types of Injections (A1)
I believe Injections (A1) should include the Underprotected APIs.
(especially based on the example attack scenarios given in the PDF page 17 for the Top 10 RC)

From what I have seen on several real-world projects, Unvalidated Redirects and Forwards, is a very common security issue (when you manage to identify where it is hiding) but it is not highlighted in security reports (and penetration testing reports) that often. Thus, it seems and fills like, it is not that popular as a finding. 

One of the main reasons this particular security issue is not mentioned that often, is because businesses (the business perspective) see this highlighted risk as a "two-step attack", so, instead of addressing it, they simply "accept the risk".

From what I have seen in different real-life projects, dropping "A10 – Unvalidated Redirects and Forwards" will be mistakenly perceived (misunderstood) as an "insignificant" security issue, while, it can be used to spawn a number of attacks. 

If an attacker manages to redirect/forward a user to a fraudulent website (that looks exactly like the legitimate one), then it is game-over for that user. How many of you remember the issues with the Unicode URLs back in the day? In one case, two companies lost a significant amount of money because of a fraudster, due to this "insignificant" issue.

Just to mention a couple very recent examples: 
or the unvalidated redirect on linkedin, which allowed to download malware from linkedin redirects (even though they were hashing the urls).

So, in my humble opinion, A1 should be Injections that include calls to Underprotected APIs: 
A1 - Injections, including Underprotected APIs

and keep:
A10 - Unvalidated Redirects and Forwards. 

This blog post is intended to be perceived as food-for-thought.